Systems and methods for accessing a wireless network

ABSTRACT

A network access manager of a local network may be used to provide access to unauthorized users on the local network. A request may be received from an authorized user of the network to allow the unauthorized users access to the network. A message may be sent to the unauthorized users to invite the unauthorized users to join the network. An authentication token may be received by the network access manager that authenticates the identity of one of the unauthorized users. The network access manager may validate the identity of the unauthorized user using the authentication token. The network access manager may provide a credential required to access the network to the unauthorized user. The unauthorized user may join the network using the credential.

BACKGROUND

In order to provide wireless network access to unauthorized users, an authorized user on the network typically supplies the unauthorized user with a wireless network access credential, such as a password, and the unauthorized user may enter the credential in order to gain access to the network. This process can be cumbersome. Sometimes multiple unauthorized users request access at the same time, and the authorized user must help each unauthorized user through the process. Also, the process sometimes needs to be repeated every time the same unauthorized user attempts to access the network. Improvements in managing wireless network access are needed.

SUMMARY

Systems, methods, and apparatus for providing access to a wireless network are described herein. An authorized user (e.g., an owner) of a wireless network may desire to provide access to the network to one or more other users that are unauthorized to access the network. The authorized user may send a request to a computing device on the network indicating that the one or more other users should be provided access to the network. The computing device may comprise, for example, a network access manager. The network access manager may determine a credential for accessing the network and may send a message to each of the other users comprising an invitation to access the network. The message may comprise an address, such as a uniform resource locator (URL), associated with a network location from which one or more of the other users may initiate a process of joining the network. The message may additionally, or alternatively, comprise an encrypted wireless network settings object. The encrypted wireless network settings object may comprise one, or both, of an identifier of the network and/or the credential for accessing the network.

The network access manager may receive an authentication token from one of the unauthorized users. The token may be associated with a service provider. The network access manager may validate the token with the associated service provider. Additionally, the network access manager may validate that the identity of the unauthorized user associated with the token is associated with one of the unauthorized users that received the message to join the network. Based on a successful validation of the token and validation of the unauthorized user's identity, the network access manager may send the unauthorized user an unencrypted version of the wireless network settings object, allowing the unauthorized user to access the network.

This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter. Furthermore, the claimed subject matter is not limited to limitations that solve any or all disadvantages noted in any part of this disclosure.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows an example system.

FIG. 2 shows an example method.

FIG. 3 shows an example method.

FIG. 4 shows an example method.

FIG. 5 shows an example method.

FIG. 6 shows an example method.

FIG. 7 shows an example computing system.

Aspects of the disclosure will now be described in detail with reference to the drawings, wherein like reference numbers refer to like elements throughout, unless specified otherwise.

DETAILED DESCRIPTION

In order to provide wireless network access to users (e.g., guests), an authorized user of the network (e.g., a network owner) typically has to supply the user with a wireless network access credential, such as a password, and the user must enter the credential manually in order to gain access to the network. This process can be cumbersome. Sometimes multiple users request access at the same time, and the authorized user must help each user through the process individually. Also, the process may need to be repeated every time the same user attempts to access the network. Additionally, the process typically allows each user to gain access to the identity of the credential, which may increase the risk of the credential falling into the hands of an unwanted entity.

With the proliferation of the internet in everyday life, there are increasingly many online profiles associated with individuals. Individuals are increasingly able to link their online profiles to one another, and/or to a central profile associated with the individual. It is desirable for authorized users on a network to provide a way for unauthorized users to access the network without the authorized user having to reveal the identity of the credential, while also allowing the approach to be scaled to multiple unauthorized users that wish to have access to the network.

Traditional wireless network access methods typically require the authorized user to provide an unencrypted version of the network credential to unauthorized users. The more unauthorized users that have access to the network credential, the more likely that the network may become compromised. Additionally, because the credential may be unencrypted, it may be possible for unauthorized users to share the credential with third parties that were never intended to have access to the wireless network.

As technologies evolve, new systems arise that can more readily link multiple accounts associated with an individual. Additionally, new technologies are increasing the ability for unrelated services to safely authorize an individual without sharing the individual's credential between the services.

Disclosed herein are systems, devices, and methods for more easily sharing access to a wireless network with one or more other users, such as unauthorized users or guests. Access to a wireless network may be provided to one or more users without revealing a network credential to the users. A user authorized to provide access to the network, such as a network owner, may share encrypted credentials with users so that even if the credential falls into the wrong hands, it is not revealed to any bad actors.

FIG. 1 shows an example system in which the present systems, methods, and apparatus may be implemented. As shown in FIG. 1, a system 100 may comprise at least one network 101, and the network may comprise a network access manager 102 and a network access point 103. The system 100 may further comprise a network owner device 104, one or more user devices 105, and one or more service providers 106. The one or more service provider devices 106 may be one or more trusted entities capable of authenticating a user's identity. The network owner device 104, the one or more user devices 105, and the one or more service providers 106 may be in communication with the network 101.

The network 101 may provide access to one or more user devices, including both user devices associated with the network owner 104 and/or user devices associated with one or more users 105. Non-limiting examples of a network 101 include an internet service provider (ISP) network, a cloud computing network, a local area network (LAN), a Wi-Fi network, a wide area network (WAN), a satellite network, the internet, or any combination thereof. The network can facilitate communication among multiple entities, including the network owner device 104, the user devices 105, service providers 106, and content providers. The network owner device 104 and the user devices 105, that may have access to the network 101, can receive content transmitted from the network 101. Such content may comprise, as non-limiting examples, video data, audio data, text data, or the like.

Video data may comprise any video content produced for viewer consumption. Video content may comprise pre-recorded video programs, live video programs streamed to viewers, or any other video content broadcast to users via radio, cable, satellite, or other method. Audio data may comprise any audio content produced for listener consumption. Audio content can comprise pre-recorded songs or other pre-recorded audio data, live audio programs streamed to listeners, such as a radio talk show, or the like. Text data may comprise any textual or pictorial content produced for viewer consumption. Textual data may comprise, for example, e-books, comics, or other pictures associated with video content.

The network 101 may comprise a network access manager 102 that monitors and authorizes users to access the network. A network access manager 102 may comprise software that detects and manages users attempting to access the network. A network access manager 102 may enforce accessibility to the network 101 through the use of authorizing user identities to allow user access to the network 101. The network access manager 102 may use any number of known protocols to enforce accessibility requirements to allow access to the network 101.

The network 101 may also comprise a network access point 103. The network access point 103 may be a device that transmits and receives data over a wireless network, for example, a wireless local area network (WLAN). The network access point 103 may be implemented as non-transitory computer-readable instructions within the network infrastructure. The network access point 103 may comprise a hardware device itself, that acts as a connection between wireless devices and a wired or wireless network. The network access point 103 may act as a portal for users and devices attempting to gain access to the network 101. For example, the network access point 103 may be implemented within the network 101 by directly wiring the network access point 103 into a wired LAN. The network access point 103 may be wirelessly connected to a LAN. Network access points 103 may support several devices and users attempting to access the network 101 simultaneously.

The system 100 may comprise a gateway 107. The gateway 107 may comprise a computing device. The gateway may comprise a network access manager 102. The gateway 107 may comprise a network access point 103. The gateway 107 may be configured to enable devices at the premises 108 to establish a wired or wireless connection to the gateway 107 for purposes of communicating with the gateway 107 and other network apparatuses beyond the gateway 107, such as the network 101. The gateway 107 may establish the wired or wireless connection to devices at the premises 108 via the network access manager 102 and/or the network access point 103. The gateway 107 may be configured to establish a wired and/or wireless local area network to which devices at the premises 108, such as the network owner device 104 and/or the user device 105 may connect. For purposes of communicating wirelessly, the gateway 107 may implement a wireless access technology, such as the IEEE 802.11 (“Wi-fi”) radio access technology. In other implementations, other radio access technologies may be employed, such as IEEE 802.16 or 802.20 (“WiMAX”), IEEE 802.15.4a (“Zigbee”), or 802.15.3c (“UWB”). For purposes of communicating with the gateway 107 via a wired connection, the gateway 107 may be configured to implement a wired local area network technology, such as IEEE 802.3 (“Ethernet”), or the like.

The gateway 107 may comprise a router. The gateway 107 may comprise a modem. The gateway 107 may be configured to provide a first connection to the network 101 via a service provider network, such as a network operated by a cable television system operator or other communications service provider. The service provider network may comprise any of a variety of types of networks, such as, for example, a coaxial cable network, a fiber-optic cable network, a hybrid fiber-coaxial (HFC) network, a satellite transmission channel, a DSL connection, or the like.

The gateway 107 may be configured to receive data traffic from devices at the premises 108, such as via a Wi-Fi network established by the gateway 107 at the premises 108. The gateway 107 may be configured to route the data traffic to the network 101 via the first connection to the network 101.

The network owner device 104 may be associated with an owner of the network 101. The network owner may also be an authorized user of the network 101. The network owner may connect to the network 101 from a user device 104. The network owner device 104 may comprise any number of user devices. As non-limiting examples, user devices may comprise, for example, a computer, a laptop, a tablet, a mobile phone, a PDA, a gaming console, or the like. The network owner may be associated with a single network owner device 104, or the network owner may be associated with several user devices. If the network owner is associated with several user devices, one or more of the user devices may be able to access the network 101. The network owner may have additional privileges with respect to the network 101 than other users, including unauthorized users and authorized users, both of which may be associated with one or more user devices 105. For example, a network owner may be able to, using the network owner device 104, change settings on the network 101, including, but not limited to, changing the accessibility settings of the network 101, changing a credential associated with accessing the network 101, limiting the number of total user devices that may be associated with the network 101 at any one time, limiting the number of total users (regardless of number of user devices) that may be associated with the network 101 at any one time, and so on.

The user device 105 (e.g., guest device) may not be associated with the network 101. The user may not have access to the network 101. The user device 105 may be an unauthorized user device of the network 101. The user device 105 may attempt to connect to the network 101. The user device 105 may be associated with any number of user devices. As non-limiting examples, a user device 105 may comprise a computer, a laptop, a tablet, a mobile phone, a PDA, a gaming console, or the like. The user may be associated with a single user device 105, or the user may be associated with several user devices 105. If the user is associated with several user devices 105, one or more of the user devices 105 may be able to access the network 101. The user device 105 may have fewer privileges with respect to the network 101 than the network owner device 104. The user device 105 may be one of one or more user devices 105. Each of the user devices 105 may have the same privileges to connect to and/or change settings on the network 101. Alternatively, one or more user devices 105 may have more or fewer privileges with respect to the network 101 than one or more other user devices 105. For example, a user device 105 may not be able to change settings on the network 101. Alternatively, a different user device 105 may be able to change settings on the network 101, including, but not limited to, changing the accessibility settings of the network 101, changing a credential associated with accessing the network 101, limiting the number of total user devices that may be associated with the network 101 at any one time, limiting the number of total users (regardless of number of user devices) that may be associated with the network 101 at any one time, and so on.

The service providers 106 may comprise a single service provider 106 or one or more service providers 106. One service provider 106 may be associated with a single user device 105 or may be associated with one or more user devices 105. Service providers 106 may be entities capable of authenticating an identity associated with a user and/or a user device 105. Service providers 106 may be social media companies, such as Facebook, Twitter, Myspace, or the like. Service providers 106 may be other entities that are associated with the identity of users, such as Google, Apple, Spotify, or the like. A service provider 106 may hold one or more pieces of information associated with the identity of a user. For example, a user may create a profile associated with the user's identity on one service provider 106, Facebook, for example, and the service provider may be able to associate the profile with the identity of the user, or the identity of a user device associated with the user 105. A service provider 106 may correlate personal data related to a user with a profile associated with the service provider 106. In that way, the service provider 106 may create and keep a profile of all known data associated with a single user or other user.

The network access manager 102 may receive and send communications to the network owner device 104. The communications may be sent wirelessly or through a wired connection. The network owner device 104 may communicate with the network 101 via the network access manager 102 to request access for one or more user devices 105 to be authorized to access the network 101. The network access manager 102 may be configured to accept the network owner device's 104 request to grant access to one or more user devices 105.

The network access manager 102 may communicate with the network access point 103 to pass on the request from the network owner device 104 to allow access to the network 101 for one or more user devices 105. The network access manager 102 may provide a credential for accessing the network 101 to the network access point 103. The network access manager 102 may communicate with the one or more user devices 105. In one example, the network access manager 102 may send a message including an invitation to join the network 101 to the one or more user devices 105. In another example, the one or more user devices 105 may send a communication to the network access manager 102 to request access to the network 101.

A user associated with a user device 105 may send a request to a service provider 106 for a token, and the token may authenticate the identity of the user. The service provider 106 may access its own database or any other database it is authorized to access to discover whether the user is associated with the service provider 106. If the service provider 106 finds a profile or database that matches the identity of the user, the service provider may provide an authentication token to the user device 105 associated with the user, indicating that the service provider 106 is associated with the user and/or the user device 105. The authentication token may indicate that the user device 105 is associated with user data associated with the service provider. The user, via the user device 105, may present the token from the service provider 106 and the message comprising the invitation from the network access manager 102 to the network access manager 102 for authorization. The user may present the required information to the network access point 103, or to another module associated with the network 101 for authenticating a user identity or authorizing the user to access the network 101. The user may be authorized and allowed access to the network. The authorization may allow the user to access the network from the user device 105.

The network access manager 102 may allow a user device 105 to access the network 101 in this way, without having to reveal the identity of a password or other credential required to access the network 101. The network access manager 102 may send the credential to the network access point 103, and the network access manager 102 may send the invitation to the user device 105. The invitation may comprise at least one of an indication of the credential and an identity of the network 101. The user device 105 may request an authentication token from a service provider 106. The user device 105 may receive, from the service provider 106, a token authenticating an identity associated with the user device 105. The user may present the token and the invitation to the network access point 103. The network access point 103 may send the token to the service provider 106. The network access point 103 may receive, from the service provider 106, confirmation that the token is valid. The network access point 103 may determine the user device 105 associated with the token is the same user device 105 associated with the invitation. The network access manager 103 may determine to authorize the user device 105 to access the network 101.

FIG. 2 shows an example method. The method of FIG. 2 may be used to provide an invitation to one or more users to access a network. As shown, a 1st user device 204 may send a message to a network access manager 102 requesting that a 2nd user device 205 be given access to a network associated with the network access manager 102 and the network access point 103. The 1st user device 204 may be associated with an owner of the network. The 1st user device 204 may be associated with an authorized user of the network. The 1st user device 204 may, for example, be the network owner device 104 of FIG. 1. The 2nd user device 205 may comprise a user device 105 of FIG. 1.

The request from the 1st user device 204 may comprise an identification of the 2nd user device 205 to be granted access to the network. The identification of the 2nd user device 205 may comprise any identifier that properly identifies a user and/or a user device. As non-limiting examples, the identification may comprise an email address of the user, a cell phone number associated with the 2nd user device 205, a cell phone number associated with the user different than the cell phone number associated with the user device 205, an identifier associated with a social media platform and the user, or the like. In this way, the network access manager 102 may be able to instruct the network access point 103 about which user or user device to allow access to the network. The network access manager 102 may receive the request from the 1st user device 204. The network access manager 102 may generate a cryptographically strong random passphrase or other credential. The passphrase may be a WPA2 or WPA3 passphrase, for example. The network access manager 102 may send the passphrase or credential to the network access point 103.

The network access manager 102 may send a message to the 2nd user device 205 with an invitation to join the network. The invitation may comprise a payload, or other information, including an encrypted object. The object may be a Wi-Fi settings object, or any other suitable object. The invitation and/or payload may also comprise an address to be used to initiate the process of joining the network. For example, the address may be a uniform resource locator (URL) that directs the 2nd user device 205 to a specific web page. The web page may comprise instructions or information to allow the 2nd user device 205 to begin the process of accessing the network. The object may comprise an identifier of the network. For example, the identifier may be a Service Set Identifier (SSID) of a wireless network. The identifier may be any other identifier suitable for identifying a network, including, for example, a LAN, a WAN, a satellite network, or the like. The object may also, or alternatively, comprise the credential created by the network access manager 102. The object may also comprise all three of these features. That is, the object may comprise an address to be used to initiate the process of joining the network, the identifier of the network, and the credential necessary to gain access to the network. The object may also comprise any additional information useful for authorization of a user device on a network. For example, the object may also comprise a basic service set identifier (BSSID) of a network or an authorization key management (AKM) suite.

While FIG. 2 shows a 1st user device 204 and a 2nd user device 205, it is understood that there may be other user devices associated with the network owner and there may be additional user devices desiring to access the network. For example, multiple user devices may send requests to the network access manager 102 requesting that a single user device be given access to the network. Alternatively, or in combination, one or more user devices may request access for multiple other user devices to have access to the network. Such examples are non-limiting and merely meant to provide additional examples of how user devices may request access to the network for other, unauthorized user devices.

FIG. 3 shows another example method. The method of FIG. 3 may be used to validate a credential associated with a user and to provide the user access to a network. The method of FIG. 3 may be performed in conjunction with the method of FIG. 2. The method of FIG. 3 may be performed after the method of FIG. 2.

As shown in FIG. 3, a 2nd user device 205 may send a request to a service provider 106 c associated with the 2nd user device 205 to request a token. The token may comprise any type of token used to authorize the identity of a user. As one non-limiting example, the token may comprise an Open Authentication token (OAuth token). The service provider 106 c may search internally to determine whether the 2nd user device 205 is associated with the service provider 106 c. If the service provider 106 c determines that the 2nd user device 205 is associated with the service provider 106 c, it may return a token to the 2nd user device 205. The 2nd user device 205 may request access to the network and may send the token to the network access manager 102. Additionally, or alternatively, the 2nd user device 205 may send the object that it receives from the network access manager 102 back to the network access manager 102.

The network access manager 102 may present the token to the indicated service provider 106 c that supplied the token to the 2nd user device 205 to check for validity of the token and authenticate the identity of the 2nd user device 205. The network access manager 102 may receive information that the token is invalid with respect to the service provider 106 c. The network access manager 102 may deny the 2nd user device 205 access to the network. The network access manager 102 may receive information that the token is a valid token associated with the service provider 106 c. The network access manager 102 may validate the identity of the 2nd user device 205. The network access manager 102 may compare the identity of the 2nd user device 205 according to the identity presented in the token with the identity associated with the object that the 2nd user device 205 returned to the network access manager 102. The network access manager 102 may determine the identities in both the token and the returned object match. The network access manager 102 may send a decrypted form of the object to the 2nd user device 205. The 2nd user device 205 may extract the information in the object. The information in the object may comprise any one or more of: the address to be used to initiate the process of joining the network, the identifier of the network, and the credential necessary to access the network. The information in the object may additionally, or alternatively, comprise a BSSID, an AKM suite, or any other information useful for authorization with the network. The 2nd user device 205 may use the decrypted information to access the network. The information may be automatically presented from the 2nd user device 205 to the network access point 103 or to the network access manager 102 in order to grant access to the network for the 2nd user device 205 without revealing the information in the object to any one or more users associated with the 2nd user device 205.
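The exchange of FIG. 2 and FIG. 3, from the network access manager's side, as a runnable sketch; it is an added example and not code from the disclosure. Assumptions: all class and function names, the JSON layout of the settings object, the expiry field, the table of trusted providers with its constructed tokens, and the standard-library encrypt-then-MAC sealing, which stands in for an AEAD cipher such as AES-GCM.

```python
import hashlib
import hmac
import json
import secrets
import time

# Unambiguous characters; WPA2/WPA3 passphrases are 8 to 63 printable ASCII chars.
ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def new_passphrase(length=32):
    """Random passphrase drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode (assumed stand-in for a real cipher)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(enc_key, mac_key, obj):
    """Encrypt-then-MAC a JSON object; returns hex text for the invitation."""
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()


def unseal(enc_key, mac_key, blob_hex):
    """Return the object, or None if the blob is malformed or was altered."""
    try:
        blob = bytes.fromhex(blob_hex)
    except ValueError:
        return None
    if len(blob) < 48:  # 16-byte nonce plus 32-byte tag
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(plain)


class NetworkAccessManager:
    def __init__(self, ssid, trusted_providers):
        self.ssid = ssid
        self.trusted_providers = trusted_providers  # name -> callable(token) -> identity or None
        self.enc_key = secrets.token_bytes(32)      # keys never leave the manager
        self.mac_key = secrets.token_bytes(32)
        self.provisioned = {}                       # stand-in for "sent to the access point"

    def invite(self, guest_identity, ttl=24 * 3600, now=None):
        """FIG. 2: create the credential and the encrypted settings object."""
        now = time.time() if now is None else now
        passphrase = new_passphrase()
        self.provisioned[guest_identity] = passphrase
        settings = {"ssid": self.ssid, "passphrase": passphrase,
                    "identity": guest_identity, "exp": now + ttl}
        return seal(self.enc_key, self.mac_key, settings)

    def redeem(self, blob_hex, provider, token, now=None):
        """FIG. 3: returns (settings, "ok") or (None, reason)."""
        now = time.time() if now is None else now
        settings = unseal(self.enc_key, self.mac_key, blob_hex)
        if settings is None:
            return None, "invalid invitation"
        if now > settings["exp"]:
            return None, "invitation expired"
        validate = self.trusted_providers.get(provider)
        if validate is None:
            return None, "untrusted provider"
        identity = validate(token)  # ask the provider, never trust the token's own claims
        if identity is None:
            return None, "token rejected by provider"
        if identity.casefold() != settings["identity"].casefold():
            return None, "identity mismatch"
        return {"ssid": settings["ssid"], "passphrase": settings["passphrase"]}, "ok"


# Constructed sample data: tokens a fictional provider has issued.
ISSUED_TOKENS = {"tok-alice": "alice@example.com", "tok-mallory": "mallory@example.com"}


def example_provider(token):
    """Stand-in for the provider's token validation call."""
    return ISSUED_TOKENS.get(token)


if __name__ == "__main__":
    nam = NetworkAccessManager("HomeNet", {"example-idp": example_provider})
    blob = nam.invite("alice@example.com")
    print(nam.redeem(blob, "example-idp", "tok-alice")[1])
    print(nam.redeem(blob, "example-idp", "tok-mallory")[1])
```

Because the object is authenticated as well as encrypted, a holder of the invitation cannot swap in a different identity or extend the expiry without the manager rejecting it.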

While FIG. 3 shows a 1st user device 204 and a 2nd user device 205, it is understood that there may be other user devices associated with the network owner and there may be additional user devices desiring to access the network. For example, multiple user devices may send requests to the network access manager 102 requesting that a single user device be given access to the network. Alternatively, or in combination, one or more user devices may request access for multiple other user devices to have access to the network. Such examples are non-limiting and merely meant to provide additional examples of how user devices may request access to the network for other, unauthorized user devices.

FIG. 4 shows an example method 400. The method 400 may be used to provide a user device access to a network. The method may be performed, for example, by a network access manager 102. A first user may have access to the network. The first user may be an owner of the network, or the first user may be any user authorized to make changes to and/or to invite additional users to access the network. The first user may access the network via a first user device 204. The first user device may comprise, for example, a desktop computer, a laptop computer, a tablet, a mobile device, a PDA, a gaming console, or the like.

The method 400 may be used to provide access to the network for a second user not initially authorized to access the network. The second user may be one user of one or more users that are not authorized to access the network. The second user may be, for example, a guest at the location associated with the network. For example, the second user may be located at a premises served by the network at that premises.

The first user may be associated with one user device on the network, or the first user may be associated with multiple user devices on the network. The first user may only be able to request access on the network for the second user using a specific user device, or a specific set of user devices. The first user may be able to request access on the network for the second user using any user device. The first user may request access on the network for the second user. The second user may be able to authorize and access the network for a specified period of time. For example, the second user may have 24 hours to authorize and access the network upon the first user requesting access on the network for the second user. The second user may only be able to access the network during a specified window of time. In one example, the second user may only be able to access the network for a 12 hour period, a 24 hour period, a 48 hour period, or a one week period after the first user requests access on the network for the second user.

At step 402, a network access manager, or other component of a network, may receive a request from a first user to grant a second user access to the network. The network access manager may be a set of computer readable instructions that provide for device authorization for access to the network. The network access manager may operate a series of policies to determine when unauthorized users are authorized to access the network. The first user may be authorized to grant access to other, unauthorized users to gain access to the network. In such a scenario, the network access manager may begin the process of allowing the second user to gain access to the network.

The network access manager may determine a passphrase or a credential required for accessing the network. The passphrase or credential may, as non-limiting examples, be WPA2 or WPA3 passphrases. The credential may be a cryptographically strong credential to prevent a breach of the credential, which could allow access to the network to an unauthorized entity. The credential may be randomly generated by the network access manager.

At step 404, the network access manager may send a message to the second user. The message may comprise an invitation to join the network. Alternatively, other components in the network may send the message and invitation to the second user. Additionally, the second user may be one user of one or more users. The network access manager may send the message with an invitation to join the network to multiple, or to each of the users of the one or more users. The message may be the same for all users. The message may be different for each user, or different for some of the users of the one or more users. Additionally, the invitation may be the same in each message, or the invitation may be different for some, or all of the one or more users.

At step 406, the network access manager may receive a token indicative of a service provider from the second user. The token may be indicative of an identity of the user from the service provider. For example, the service provider may be a social media platform. As another example, the service provider may be Google. The token may be an authentication token, such as an OAuth token. The token may serve to identify the second user's identity without revealing the second user's personal data to the network or the network access manager.

The second user may be one user of one or more users that are not authorized on the network and are not authorized to access the network. Where there are multiple unauthorized users, each of the unauthorized users may present a token to the network or the network access manager. Each token may represent the identity of the unauthorized user that provided the token to the network access manager. In one example, each of the unauthorized users presents a token from the same service provider. Alternatively, some, or all of the tokens presented by the unauthorized users may come from different service providers.

Each of the tokens may be of the same type. For example, each token may be an OAuth 2.0 token. The tokens may be of different types. For example, one or more tokens presented by one or more unauthorized users may be bearer scheme tokens, such as an OAuth 2.0 token, while other types of tokens presented may be of a different type, such as a digest scheme token, for example an OAuth 1.0 token.

At step 408, the network access manager may send the received token to the associated service provider. For example, the second user may request a token from a social media platform and provide the token to the network access manager. The network access manager may provide the token to the social media platform for validation. The validation may involve requesting the social media platform to confirm or deny a validity of the token.

If, for example, the service provider responds with a denial that the token is valid, the network access manager may determine that the second user is not authorized to access the network. If the token is determined valid, the method may continue to step 410.

At step 410, the network access manager may determine that the second user is authenticated. The network access manager may determine that the second user is authorized to access the network. The network access manager may send the credential associated with accessing the network to the second user. The credential may be a cryptographically strong passphrase necessary to access the network. In some cases, the credential may comprise an identifier of the network, such as the network SSID. In other cases, the credential may comprise both the network identifier and the passphrase or other password necessary to access the network.

The network access manager may provide the credential to the second user in an accessible format. For example, the credential may be sent to the second user in an unencrypted format, so that the second user may present the unencrypted credential to any suitable component associated with the network to gain access to the network. In some examples, the second user may provide the credential to a network access point. The network access point may accept the credential, and if it matches a credential previously supplied to the network access point, the network access point may allow the second user to access the network.

FIG. 5 shows an example method 500. The method 500 may be used to provide an invitation to one or more users to access a network. The method may be performed, for example, by a network access manager, such as the network access manager 102 of FIG. 1. The method 500 may be performed to receive a request for a user to gain access to a network and to provide the user with an invitation to join the network. The method 500 may be performed to receive a request from a first user already authorized on the network, wishing to grant authorization to a second user to access the network. The second user may be granted access to the network for a specified period of time, during a specified window of time, indefinitely, or the like.

At step 502, a network access manager of a network may receive a request from a first user to grant access to the network to a second user. The first user may be an owner of the network, or the first user may be authorized to request access to the network for other users. The second user may be an unauthorized user on the network.

The network access manager may generate a credential associated with gaining access to the network. The credential may be a cryptographically strong passphrase required to gain access to the network. The network access manager may send an indication of the credential to a network access point associated with the network. The credential may be associated with an individual user, a specific group of users, or all users. For example, the network access manager may generate a first credential associated with a first user. The network access manager may generate a second credential associated with a second user. The network access manager may send either one, or both, of the first credential and the second credential to the wireless access point. The network access point may be a computing device configured to allow certain users access to the network. The network access point may be wirelessly connected to the network, or the network access point may be connected to the network in a wired fashion. The network access point may allow several users and/or user devices to access the network at a same time, or the network access point may only allow a single user to access the network at a time.

At step 504, the network access manager may generate a message. The message may comprise an invitation to join the network. The message and the invitation may be generated for the second user so that the second user can gain access to the network. The message and/or the invitation may comprise an address associated with initiating the process of joining the network. The address may be a URL, or it may be any other address. The message and/or the invitation may also comprise an object. The object may be a Wi-Fi settings object. The object may comprise an identifier of the network. In one example, the identifier may be an SSID of the network. The object may also comprise the credential generated by the network access manager. The object may be encrypted. The object may also comprise additional information helpful in authorizing a user at a network, including a BSSID, an AKM suite, or the like.

The network access manager may send the message to the second user. The message and the invitation may allow the second user to initiate a procedure to access the network, and the message and invitation may comprise information necessary to obtain authorization to access the network. The second user may be one user of one or more users attempting to gain access to the network. The message and invitation may be the same for each user of the one or more users. The message and invitation may be the same for some users of the one or more users and the message and invitation may be different for some users of the one or more users. The message and invitation may be different for each of the users of the one or more users.

At step 506, the network access manager may receive a token from the second user. The token may be associated with a service provider of one or more service providers. The token may indicate an authentication of an identity associated with the second user. The second user may be an individual user requesting access to the network. The steps performed herein may be directed toward an individual, unauthorized user. The second, unauthorized user may be one user of one or more unauthorized users. The network access manager may receive a token from each one of the unauthorized users of the one or more unauthorized users. More than one unauthorized user may send a token to the network access manager, but less than all of the unauthorized users may send a token to the network access manager. The unauthorized users that do not send a token to the network access manager may not be able to access the network.

Where the network access manager receives multiple tokens (one token each from multiple unauthorized users), the tokens may all originate from the same service provider. The tokens may come from one or more service providers, up to the point where each token may originate from a different service provider of the one or more service providers. The network access manager may validate each token with the service provider associated with each token. The token may represent an authentication token, such as an OAuth 2.0 token, or any other suitable token.

At step 508, the network access manager may send, to the service provider, data associated with the token to determine a validity of the token. The network access manager may receive multiple tokens from one or more service providers. The network access manager may attempt to validate each token individually with the service provider associated with each individual token. An unauthorized user may present multiple tokens. The multiple tokens may each be from the same service provider, or the multiple tokens may each be from different service providers.

Furthermore, the network access manager may attempt to validate the token with the service provider associated with the token, and the token may be invalid. The network access manager may reject the unauthorized user from accessing the network based on the invalid token. In some cases, the unauthorized user may return to the service provider to attempt to obtain a new token to validate the unauthorized user's identity. In some cases, the new token may be the same token as the first token. In some cases, the new token may be a different token associated with the same service provider, or the new token may be associated with a different service provider.

At step 510, the network access manager may validate that the unauthorized user is associated with an object that was provided to the unauthorized user. For example, in the message sent to an unauthorized user, the message may comprise an invitation, and the message and/or the invitation may comprise an object. The object may comprise an identifier of the network and/or a credential necessary to gain access to the network. Additionally, the object may comprise any other information relevant in authorizing a user to access the network.

The message originally sent to the unauthorized user may comprise an encrypted object. The network access manager may receive the token and the object from the unauthorized user. The network access manager may send a different version of the object to the unauthorized user. The different version of the object may be an unencrypted version of the object.

The different version of the object sent to the unauthorized user may comprise an accessible version of an identifier of the network. The different version of the object sent to the unauthorized user may comprise an accessible version of a credential associated with the network. The different version of the object may comprise both the accessible version of the network identifier and the accessible version of the credential associated with the network. An accessible version of either the network identifier and/or the credential associated with the network may be an unencrypted version of the network identifier and the credential associated with the network. In one example, the network access manager may validate tokens and object with several unauthorized users of one or more unauthorized users. In that case, the network access manager may send the accessible version of the network identifier and the accessible version of the credential associated with the network to each of the validated unauthorized users.
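The access-point side of the per-user credentials described for method 500 can be sketched as follows. This is an added example, not part of the original specification: the `AccessPoint` class, its method names, and the sample passphrases are hypothetical, and matching is modeled as comparing derived WPA2-Personal pre-shared keys rather than running the 802.11 four-way handshake.

```python
import hashlib
import hmac

# Access windows named in the text: 12 h, 24 h, 48 h, one week.
WINDOWS_HOURS = (12, 24, 48, 168)


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PSK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


class AccessPoint:
    """Hypothetical access point holding one credential per invited user."""

    def __init__(self, ssid: str):
        self.ssid = ssid
        self._entries = {}  # user -> (derived PSK, not_after timestamp)

    def provision(self, user, passphrase, window_hours, granted_at):
        """Called by the network access manager when it issues a credential."""
        if window_hours not in WINDOWS_HOURS:
            raise ValueError("unsupported access window")
        not_after = granted_at + window_hours * 3600
        self._entries[user] = (derive_psk(passphrase, self.ssid), not_after)

    def revoke(self, user):
        """Remove one user's credential without touching the others."""
        self._entries.pop(user, None)

    def admit(self, presented_passphrase, now):
        """Return the user whose credential matches inside its window, else None."""
        try:
            candidate = derive_psk(presented_passphrase, self.ssid)
        except (ValueError, UnicodeEncodeError):
            return None  # malformed credential: reject
        admitted = None
        for user, (psk, not_after) in self._entries.items():
            # Constant-time comparison against every entry; no early exit.
            if hmac.compare_digest(candidate, psk) and now <= not_after:
                admitted = user
        return admitted
```

Because each user has a separate entry, expiry or revocation of one guest's credential does not require changing the passphrase used by anyone else.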

FIG. 6 shows an example method 600. The method 600 may be performed, for example, by the network access manager 102 of FIG. 1. The method 600 may be performed to accept a request from an authorized user to grant access to a plurality of unauthorized users desiring authorization to access a network. The authorized user may be an owner of the network, or the authorized user may be a user authorized to make changes and/or to invite additional users to access the network. The authorized user may access the network via a user device. A user device can comprise, for example, a desktop computer, a laptop computer, a tablet, a mobile device, a PDA, a gaming console, or the like. The plurality of unauthorized users may each be associated with a same or a different user device as the authorized user.

The plurality of unauthorized users may be one or more unauthorized users not authorized to access the network. The plurality of unauthorized users may be located at the location associated with the network. For example, the plurality of unauthorized users may each be located at a premises served by a Wi-Fi or other network, including a wired network. The plurality of unauthorized users may each be located at a different location than the network. One or more of the plurality of unauthorized users may be located at the location associated with the network, while one or more of the plurality of unauthorized users may be located at a different location than the network. Additionally, each one of the plurality of unauthorized users may be located at either the same location or at a different location than the authorized user in any combination. The authorized user and the plurality of unauthorized users may use the same user device to access the network. Alternatively, the authorized user and the plurality of unauthorized users may each use different user devices to access the network.

The authorized user may be associated with one user device on the network, or the authorized user may be associated with multiple user devices on the network. The authorized user may only be able to request access on the network for one or more of the plurality of unauthorized users using a specific user device, or a specific set of user devices. The authorized user may be able to request access on the network for any one of the plurality of unauthorized users using any user device. The authorized user may request access on the network for one or more of the plurality of unauthorized users. The one or more of the plurality of unauthorized users may only be able to authorize access on the network for a specified period of time. For example, the one or more of the plurality of unauthorized users may have 24 hours to authorize and access the network after the authorized user requests access on the network for the plurality of unauthorized users. The one or more of the plurality of unauthorized users may only be able to access the network during a specified window of time. In one example, the one or more of the plurality of unauthorized users may only be able to access the network for a 12 hour period, a 24 hour period, a 48 hour period, or a one week period after the authorized user requests access on the network for the plurality of unauthorized users.

At step 602, a network access manager, or other component of a network, may receive a request from an authorized user to grant a plurality of unauthorized users access to the network. The network access manager may be a set of computer readable instructions that provide for device authorization for access to the network. The network access manager may operate a series of policies to determine when unauthorized users are authorized to access the network. The authorized user may be authorized to grant access to other, unauthorized users to gain access to the network. In such a scenario, the network access manager may begin the process of allowing the plurality of unauthorized users to gain access to the network.

At step 604, the network access manager may send, to each of the plurality of unauthorized users, a message. The network access manager may send the same message to each of the plurality of unauthorized users, or the network access manager may send multiple different messages to some, or all of the plurality of unauthorized users. The message may comprise an invitation to access the network. Other components in the network may send the message and the invitation to the plurality of unauthorized users. Additionally, the invitation in the message may be the same in each message, or the invitation may be different for some, or all of the unauthorized users in the plurality of unauthorized users.

The invitation may comprise an object, the object optionally further comprising an identifier of the network and/or a credential associated with accessing the network. The network access manager may determine the credential required for accessing the network. The passphrase or credential may, as non-limiting examples, be WPA2 or WPA3 passphrases. The credential may be a cryptographically strong credential to prevent a breach of the credential, which could allow access to the network to an unauthorized entity. The credential may be randomly generated by the network access manager. The identifier of the network may be an SSID or other piece of information that accurately identifies the network.

At step 606, the network access manager may receive a token indicative of a service provider from a first one of the plurality of unauthorized users. The token may be indicative of an identity of the first one of the plurality of unauthorized users from the service provider. For example, the service provider may be a social media platform. As another example, the service provider may be any entity that collects and/or identifies personal information associated with users. The token may be an authentication token, such as an OAuth token. The token may serve to identify the first one of the plurality of unauthorized user's identity without revealing the first one of the plurality of unauthorized user's personal data to the network or the network access manager.

At step 608, the network access manager may send the received token to the service provider associated with the token. For example, the first one of the plurality of unauthorized users may request a token from a social media platform and provide the token to the network access manager. The network access manager may provide the token to the social media platform to validate the first one of the plurality of unauthorized user's identity. The validation may comprise requesting the social media platform to confirm or deny a validity of the token.

If, for example, the service provider responds with a denial that the token is valid, the network access manager may determine that the first one of the plurality of unauthorized users is not authorized to access the network. If the token is determined valid, the method may continue to step 610.

At step 610, the network access manager may receive a token indicative of a service provider from a second one of the plurality of unauthorized users. The token may be indicative of an identity of the second one of the plurality of unauthorized users from the service provider. For example, the service provider may be a social media platform. As another example, the service provider may be any entity that collects and/or identifies personal information associated with users. The token may be an authentication token, such as an OAuth token. The token may serve to identify the second one of the plurality of unauthorized user's identity without revealing the second one of the plurality of unauthorized user's personal data to the network or the network access manager.

At step 612, the network access manager may send the received token to the service provider associated with the token. For example, the second one of the plurality of unauthorized users may request a token from a social media platform and provide the token to the network access manager. The network access manager may provide the token to the social media platform for validation of the second one of the plurality of unauthorized user's identity. The validation may involve requesting the social media platform to confirm or deny a validity of the token.

If, for example, the service provider responds with a denial that the token is valid, the network access manager may determine that the second one of the plurality of unauthorized users is not authorized to access the network. If the token is determined valid, the method may continue to step 614.

At step 614, the network access manager may send an indication of the credential associated with accessing the network to both the first and the second ones of the plurality of users. The credential may be a cryptographically strong passphrase necessary to access the network. In some cases, the credential may comprise an identifier of the network, such as the network SSID. In other cases, the credential may comprise both the network identifier and the passphrase or other password necessary to access the network.

The network access manager may provide the indication of the credential to both the first and the second ones of the plurality of unauthorized users in an accessible format. For example, the credential may be sent to both the first and the second ones of the plurality of unauthorized users in an unencrypted format, so that the first and second ones of the plurality of unauthorized users may present the unencrypted credential to the network to gain access to the network. In some examples, the first and second users of the plurality of unauthorized users may provide the credential to a network access point. The network access point may accept the credential, and if the credential matches a credential previously supplied to the network access point, the network access point may allow the first and the second users of the plurality of unauthorized users to access the network.
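The manager-side flow of methods 400 and 600 (request, invitation, token validation with the service provider, credential release) can be sketched as below. This is an added example, not part of the original specification: the class and function names, the provider stubs, and the sample tokens are hypothetical and constructed. Checking that the validated identity matches the invitee, failing closed on provider errors, and releasing each credential only once are assumptions of this sketch.

```python
import secrets
import string
import time
from dataclasses import dataclass

# WPA2/WPA3-Personal passphrases are 8-63 printable ASCII characters.
_ALPHABET = string.ascii_letters + string.digits
INVITE_TTL_SECONDS = 24 * 3600  # the 24-hour example window from the text


def generate_passphrase(length: int = 32) -> str:
    """Random passphrase from the OS CSPRNG (about 190 bits at length 32)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases must be 8-63 characters")
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


@dataclass
class Invitation:
    invitee: str        # identity the authorized user asked to admit
    ssid: str
    passphrase: str     # per-invitee credential, withheld until validation
    expires_at: float
    redeemed: bool = False


class NetworkAccessManager:
    def __init__(self, ssid, owners, providers):
        self.ssid = ssid
        self.owners = set(owners)
        self.providers = providers  # provider name -> validate(token) callable
        self.invitations = {}       # invitation id -> Invitation

    def request_access(self, requester, invitees, now=None):
        """Steps 402/404 and 602/604: one invitation per unauthorized user."""
        now = time.time() if now is None else now
        if requester not in self.owners:
            raise PermissionError("requester may not grant access")
        messages = {}
        for invitee in invitees:
            invite_id = secrets.token_urlsafe(16)
            self.invitations[invite_id] = Invitation(
                invitee, self.ssid, generate_passphrase(), now + INVITE_TTL_SECONDS
            )
            messages[invitee] = invite_id  # stands in for the URL in the message
        return messages

    def redeem(self, invite_id, provider, token, now=None):
        """Steps 406-410 and 606-614: validate with the provider, then release."""
        now = time.time() if now is None else now
        inv = self.invitations.get(invite_id)
        if inv is None or inv.redeemed or now > inv.expires_at:
            return None
        validate = self.providers.get(provider)
        if validate is None:
            return None  # unknown provider: fail closed
        try:
            identity = validate(token)  # identity on confirm, None on denial
        except Exception:
            return None  # provider unreachable or erroring: fail closed
        if identity != inv.invitee:
            return None  # denied, or a valid token for someone else
        inv.redeemed = True  # assumption: each credential is released once
        return {"ssid": inv.ssid, "passphrase": inv.passphrase}


def make_provider(valid_tokens):
    """Constructed stand-in for a service provider's token-validation endpoint."""
    return lambda token: valid_tokens.get(token)


# Constructed sample data: two providers, one known token each.
PROVIDERS = {
    "provider-a": make_provider({"tok-alice": "alice@provider-a"}),
    "provider-b": make_provider({"tok-bob": "bob@provider-b"}),
}
```

A denied token leaves the invitation open, so the invitee can return to the provider for a new token as the description allows.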

FIG. 7 shows an example computing device 700 that may represent any of the various devices or entities shown in FIG. 1, including, for example, the network 101, the network owner device 104, the user device 105, or the service providers 106. That is, the computing device 700 shown in FIG. 7 may be any smartphone, server computer, workstation, access point, router, gateway, tablet computer, laptop computer, notebook computer, desktop computer, personal computer, network appliance, PDA, e-reader, user equipment (UE), mobile station, fixed or mobile subscriber unit, pager, wireless sensor, consumer electronics, or other computing device, and may be utilized to execute any aspects of the methods and apparatus described herein, such as to implement any of the apparatus of FIG. 1 or any of the methods described in relation to FIGS. 4-6.

The computing device 700 may comprise a baseboard, or “motherboard,” which is a printed circuit board to which a multitude of components or devices may be connected by way of a system bus or other electrical communication paths. One or more central processing units (CPUs or “processors”) 704 may operate in conjunction with a chipset 706. The CPU(s) 704 may be standard programmable processors that perform arithmetic and logical operations necessary for the operation of the computing device 700.

The CPU(s) 704 may perform the necessary operations by transitioning from one discrete physical state to the next through the manipulation of switching elements that differentiate between and change these states. Switching elements may generally comprise electronic circuits that maintain one of two binary states, such as flip-flops, and electronic circuits that provide an output state based on the logical combination of the states of one or more other switching elements, such as logic gates. These basic switching elements may be combined to create more complex logic circuits including registers, adders-subtractors, arithmetic logic units, floating-point units, or the like.

The CPU(s) 704 may be augmented with or replaced by other processing units, such as GPU(s) 705. The GPU(s) 705 may comprise processing units specialized for but not necessarily limited to highly parallel computations, such as graphics and other visualization-related processing.

A chipset 706 may provide an interface between the CPU(s) 704 and the remainder of the components and devices on the baseboard. The chipset 706 may provide an interface to a random-access memory (RAM) 708 used as the main memory in the computing device 700. The chipset 706 may provide an interface to a computer-readable storage medium, such as a read-only memory (ROM) 720 or non-volatile RAM (NVRAM) (not shown), for storing basic routines that may help to start up the computing device 700 and to transfer information between the various components and devices. ROM 720 or NVRAM may also store other software components necessary for the operation of the computing device 700 in accordance with the aspects described herein.

The computing device 700 may operate in a networked environment using logical connections to remote computing nodes and computer systems of the system 100. The chipset 706 may comprise functionality for providing network connectivity through a network interface controller (NIC) 722. A NIC 722 may be capable of connecting the computing device 700 to other computing nodes over the system 100. It should be appreciated that multiple NICs 722 may be present in the computing device 700, connecting the computing device to other types of networks and remote computer systems. The NIC 722 may be configured to implement a wired local area network technology, such as IEEE 802.3 (“Ethernet”) or the like. The NIC 722 may also comprise any suitable wireless network interface controller capable of wirelessly connecting and communicating with other devices or computing nodes on the system 100. For example, the NIC 722 may operate in accordance with any of a variety of wireless communication protocols, including for example, the IEEE 802.11 (“Wi-Fi”) protocol, the IEEE 802.16 or 802.20 (“WiMAX”) protocols, the IEEE 802.15.4a (“Zigbee”) protocol, the 802.15.3c (“UWB”) protocol, or the like.

The computing device 700 may be connected to a mass storage device 728 that provides non-volatile storage (i.e., memory) for the computer. The mass storage device 728 may store system programs, application programs, other program modules, and data, which have been described in greater detail herein. The mass storage device 728 may be connected to the computing device 700 through a storage controller 724 connected to the chipset 706. The mass storage device 728 may consist of one or more physical storage units. A storage controller 724 may interface with the physical storage units through a serial attached SCSI (SAS) interface, a serial advanced technology attachment (SATA) interface, a fiber channel (FC) interface, or other type of interface for physically connecting and transferring data between computers and physical storage units.

The computing device 700 may store data on a mass storage device 728 by transforming the physical state of the physical storage units to reflect the information being stored. The specific transformation of a physical state may depend on various factors and on different implementations of this description. Examples of such factors may comprise, but are not limited to, the technology used to implement the physical storage units and whether the mass storage device 728 is characterized as primary or secondary storage or the like.

For example, the computing device 700 may store information to the mass storage device 728 by issuing instructions through a storage controller 724 to alter the magnetic characteristics of a particular location within a magnetic disk drive unit, the reflective or refractive characteristics of a particular location in an optical storage unit, or the electrical characteristics of a particular capacitor, transistor, or other discrete component in a solid-state storage unit. Other transformations of physical media are possible without departing from the scope and spirit of the present description, with the foregoing examples provided only to facilitate this description. The computing device 700 may read information from the mass storage device 728 by detecting the physical states or characteristics of one or more particular locations within the physical storage units.

In addition to the mass storage device 728 described herein, the computing device 700 may have access to other computer-readable storage media to store and retrieve information, such as program modules, data structures, or other data. It should be appreciated by those skilled in the art that computer-readable storage media may be any available media that provides for the storage of non-transitory data and that may be accessed by the computing device 700.

By way of example and not limitation, computer-readable storage media may comprise volatile and non-volatile, non-transitory computer-readable storage media, and removable and non-removable media implemented in any method or technology. However, as used herein, the term computer-readable storage media does not encompass transitory computer-readable storage media, such as signals. Computer-readable storage media includes, but is not limited to, RAM, ROM, erasable programmable ROM (“EPROM”), electrically erasable programmable ROM (“EEPROM”), flash memory or other solid-state memory technology, compact disc ROM (“CD-ROM”), digital versatile disk (“DVD”), high definition DVD (“HD-DVD”), BLU-RAY, or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage, other magnetic storage devices, or any other non-transitory medium that may be used to store the desired information in a non-transitory fashion.

A mass storage device, such as the mass storage device 728 depicted in FIG. 7, may store an operating system utilized to control the operation of the computing device 700. The operating system may comprise a version of the LINUX operating system. The operating system may comprise a version of the WINDOWS SERVER operating system from the MICROSOFT Corporation. According to additional aspects, the operating system may comprise a version of the UNIX operating system. Various mobile phone operating systems, such as IOS and ANDROID, may also be utilized. It should be appreciated that other operating systems may also be utilized. The mass storage device 728 may store other system or application programs and data utilized by the computing device 700.

The mass storage device 728 or other computer-readable storage media may also be encoded with computer-executable instructions, which, when loaded into the computing device 700, transform the computing device from a general-purpose computing system into a special-purpose computer capable of implementing the aspects described herein. These computer-executable instructions transform the computing device 700 by specifying how the CPU(s) 704 transition between states, as described herein. The computing device 700 may have access to computer-readable storage media storing computer-executable instructions, which, when executed by the computing device 700, may perform the methods described in relation to FIGS. 4-6.

A computing device, such as the computing device 700 depicted in FIG. 7, may also comprise an input/output controller 732 for receiving and processing input from a number of input devices, such as a keyboard, a mouse, a touchpad, a touch screen, an electronic stylus, or other type of input device. Similarly, an input/output controller 732 may provide output to a display, such as a computer monitor, a flat-panel display, a digital projector, a printer, a plotter, or other type of output device. It will be appreciated that the computing device 700 may not comprise all of the components shown in FIG. 7, may comprise other components that are not explicitly shown in FIG. 7, or may utilize an architecture completely different than that shown in FIG. 7.

As described herein, a computing device may be a physical computing device, such as the computing device 700 of FIG. 7. A computing device may also comprise a virtual machine host process and one or more virtual machine instances. Computer-executable instructions may be executed by the physical hardware of a computing device indirectly through interpretation and/or execution of instructions stored and executed in the context of a virtual machine.

It is to be understood that the methods and systems described herein are not limited to specific methods, specific components, or to particular implementations. It is also to be understood that the terminology used herein is not intended to be limiting.

As used in the specification and the appended claims, the singular forms “a,” “an,” and “the” comprise plural referents unless the context clearly dictates otherwise. Ranges may be expressed herein as from “about” one particular value, and/or to “about” another particular value. When such a range is expressed, another example may comprise from the one particular value and/or to the other particular value. It will be further understood that the endpoints of each of the ranges are significant both in relation to the other endpoint, and independently of the other endpoint.

“Optional” or “optionally” means that the subsequently described event or circumstance may or may not occur, and that the description comprises instances where said event or circumstance occurs and instances where it does not.

Throughout the description and claims of this specification, the word “comprise” and variations of the word, such as “comprising” and “comprises,” means “including but not limited to,” and is not intended to exclude, for example, other components, integers, or steps. “Exemplary” means “an example of.” “Such as” is not used in a restrictive sense, but for explanatory purposes.

Components and devices are described that may be used to perform the described methods and systems. When combinations, subsets, interactions, groups, etc., of these components are described, it is understood that while specific references to each of the various individual and collective combinations and permutations of these may not be explicitly described, each is specifically contemplated and described herein, for all methods and systems. This applies to all aspects of this application including, but not limited to, operations in described methods. Thus, if there are a variety of additional operations that may be performed it is understood that each of these additional operations may be performed with any combination of the described methods.

As will be appreciated by one skilled in the art, the methods and systems may take the form of entirely hardware, entirely software, or a combination of software and hardware aspects. Furthermore, the methods and systems may take the form of a computer program product on a computer-readable storage medium having computer-readable instructions (e.g., computer software or program code) embodied in the storage medium. More particularly, the present methods and systems may take the form of web-implemented computer software. Any suitable computer-readable storage medium may be utilized including hard disks, CD-ROMs, optical storage devices, or magnetic storage devices.

The methods and systems are described above with reference to block diagrams and flowcharts of methods, systems, apparatuses, and computer program products. It will be understood that each block of the block diagrams and flowcharts, and combinations of blocks in the block diagrams and flowcharts, respectively, may be implemented by computer program instructions. These computer program instructions may be loaded on a general-purpose computer, special-purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions which execute on the computer or other programmable data processing apparatus create a means for implementing the functions specified in the flowchart block or blocks.

These computer program instructions may also be stored in a computer-readable memory that may direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including computer-readable instructions for implementing the function specified in the flowchart block or blocks. The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer-implemented process such that the instructions that execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart block or blocks.

The various features and processes described herein may be used independently of one another or may be combined in various ways. All possible combinations and sub-combinations are intended to fall within the scope of this disclosure. In addition, certain methods or process blocks may be omitted in some implementations. The methods and processes described herein are also not limited to any particular sequence, and the blocks or states relating thereto may be performed in other sequences that are appropriate. For example, described blocks or states may be performed in an order other than that specifically described, or multiple blocks or states may be combined in a single block or state. The example blocks or states may be performed in serial, in parallel, or in some other manner. Blocks or states may be added or removed. The example systems and components described herein may be configured differently than described. For example, elements may be added to, removed from, or rearranged.

It will also be appreciated that various items are shown as being stored in memory or on storage while being used, and that these items or portions thereof may be transferred between memory and other storage devices for purposes of memory management and data integrity. Alternatively, some or all of the software modules and/or systems may execute in memory on another device and communicate with the shown computing systems via inter-computer communication. Furthermore, some or all of the systems and/or modules may be implemented or provided in other ways, such as at least partially in firmware and/or hardware, including, but not limited to, one or more application-specific integrated circuits (“ASICs”), standard integrated circuits, controllers (e.g., by executing appropriate instructions, and including microcontrollers and/or embedded controllers), field-programmable gate arrays (“FPGAs”), complex programmable logic devices (“CPLDs”), etc. Some or all of the modules, systems, and data structures may also be stored (e.g., as software instructions or structured data) on a computer-readable medium, such as a hard disk, a memory, a network, or a portable media article to be read by an appropriate device or via an appropriate connection. The systems, modules, and data structures may also be transmitted as generated data signals (e.g., as part of a carrier wave or other analog or digital propagated signal) on a variety of computer-readable transmission media, including wireless-based and wired/cable-based media, and may take a variety of forms (e.g., as part of a single or multiplexed analog signal, or as multiple discrete digital packets or frames). Such computer program products may also take other forms. Accordingly, the present invention may be practiced with other computer system configurations.

While the methods and systems have been described in connection with specific examples, it is not intended that the scope be limited to the specific examples set forth.

Unless otherwise expressly stated, it is in no way intended that any method set forth herein be construed as requiring that its operations be performed in a specific order. Accordingly, where a method claim does not actually recite an order to be followed by its operations or it is not otherwise specifically stated in the claims or descriptions that the operations are to be limited to a specific order, it is in no way intended that an order be inferred, in any respect. This holds for any possible non-express basis for interpretation, including matters of logic with respect to arrangement of steps or operational flow and the plain meaning derived from grammatical organization or punctuation.

It will be apparent to those skilled in the art that various modifications and variations may be made without departing from the scope or spirit of the present disclosure. Alternatives will be apparent to those skilled in the art from consideration of the specification and practices described herein. It is intended that the specification and example figures be considered as exemplary only, with a true scope and spirit being indicated by the following claims.

What is claimed is:
1. A method comprising: receiving, from a first user, a request to grant a second user access to a network; sending, to the second user, a message comprising an indication to access the network; receiving, from the second user, a token indicative of a service provider associated with the second user, wherein the service provider authenticates an identity of the second user; sending, based on the receiving the token, and to the service provider, data associated with the token; and sending, based on a determination that the token is valid and to the second user, an indication of a credential for accessing the network.
2. The method of claim 1, wherein the first user is an owner of the network and wherein the second user is an unauthorized user on the network.
3. The method of claim 1, wherein the token is an open authentication token associated with the second user.
4. The method of claim 1, further comprising: receiving, from the first user, a request to grant one or more additional users access to the network; sending, to the one or more additional users, the message; receiving, from at least one of the additional users, a different token indicative of a different service provider associated with the at least one of the additional users; sending, based on the receiving the different token, and to the different service provider, data associated with the different token; and sending, based on an additional determination that the different token is valid and to the at least one of the additional users, the indication of the credential for accessing the network.
5. The method of claim 1, wherein the message comprising the invitation further comprises a Wi-Fi settings object comprising: an identifier associated with the network; and the credential.
6. The method of claim 1, wherein the service provider comprises a social media entity.
7. The method of claim 1, further comprising: receiving, from a different user, a second token indicative of a second service provider; determining that the identity of the different user associated with the second token is different than the identity of the second user; and preventing access, by the different user, to the indication of the credential.
8. A method comprising: receiving, from a first user, a request to grant a second user access to a network; sending, to the second user, a message comprising: an address associated with the network; and an object comprising at least an identifier of the network and a credential for accessing the network; receiving, from the second user, a token indicative of the second user's identity authenticated by a service provider; sending, to the service provider, data associated with the token; and sending, based on a determination that the token is valid, to the second user, a second object comprising at least one of an accessible version of the identifier of the network or an accessible version of the credential.
9. The method of claim 8, wherein the service provider is a social media entity.
10. The method of claim 8, wherein the first user is an authorized user on the network and wherein the second user is an unauthorized user on the network.
11. The method of claim 8, wherein the first object is encrypted prior to the sending the invitation to the second user.
12. The method of claim 8, wherein the of the second object is an unencrypted version of the first object.
13. The method of claim 8, wherein the token is an open authentication token associated with the second user.
14. The method of claim 8, further comprising: receiving, from a third user, a second token indicative of a second service provider; determining that the identity of the third user associated with the second token is different than the identity of the second user; and preventing access, by the third user, to the indication of the credential.
15. A method comprising: receiving, from an authorized user, a request to grant a plurality of unauthorized users access to a network; sending, to each one of the plurality of unauthorized users, a message comprising an invitation to access the network; receiving, from a first one of the plurality of unauthorized users, a first token indicative of a first service provider associated with the first one of the plurality of unauthorized users; determining, based on sending the first token to the first service provider, a validity of an identity of the first one of the plurality of unauthorized users; receiving, from a second one of the plurality of unauthorized users, a second token indicative of a second service provider associated with the second one of the plurality of unauthorized users; determining, based on sending the second token to the second service provider, a validity of an identity of the second one of the plurality of unauthorized users; and sending, based on the determining, to the first one of the unauthorized users and to the second one of the unauthorized users, an indication of the credential.
16. The method of claim 15, further comprising: receiving, from a third one of the plurality of unauthorized users, a third token indicative of a third service provider; determining that the token is invalid; and preventing access, of the third one of the plurality of unauthorized users, to the indication of the credential.
17. The method of claim 15, further comprising: receiving, from a different user, a fourth token indicative of a fourth service provider; determining that the identity of the different user associated with the fourth token is different than each of the identities of the plurality of unauthorized users; and preventing access, of the different user, to the indication of the credential.
18. The method of claim 15, the invitation further comprising: an address associated with joining the network; and an object comprising at least an identifier of the network and the credential.
19. The method of claim 15, wherein the first service provider is a first social media entity, and wherein the second service provider is a second, different social media entity.
20. The method of claim 16, further comprising encrypting the object prior to the sending the message to the at least one of the plurality of unauthorized users.
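
The credential-release gate recited in claims 1, 7 and 16, sketched as an added example that is not code from the patent: the manager releases the network settings only when the service provider confirms the token and the authenticated identity matches the invitee. The `PROVIDERS` table, all names and values, and the choice to bind each invitation to a (provider, subject) pair are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed stand-in for the service providers' token validation:
# provider -> {token: authenticated subject}. Not a real provider API.
PROVIDERS = {
    "provider-a": {"tok-alice": "alice@example.test",
                   "tok-mallory": "mallory@example.test"},
    "provider-b": {"tok-bob": "bob@example.test"},
}

def validate_with_provider(provider, token):
    """Send token data to the provider; return the subject, or None if invalid."""
    return PROVIDERS.get(provider, {}).get(token)

@dataclass(frozen=True)
class Invite:
    provider: str   # assumption: the invitation is bound to one provider
    subject: str    # identity the authorized user asked to admit

class NetworkAccessManager:
    def __init__(self, ssid, credential):
        self._settings = {"ssid": ssid, "credential": credential}
        self._invites = {}   # invite id -> Invite
        self.denials = []    # (invite id, reason), kept for later review

    def grant(self, invite_id, provider, subject):
        """Authorized user's request: record who the invitation is for."""
        self._invites[invite_id] = Invite(provider, subject)

    def redeem(self, invite_id, provider, token):
        """Return the network settings only for the invited identity."""
        invite = self._invites.get(invite_id)
        if invite is None:
            return self._deny(invite_id, "unknown invitation")
        subject = validate_with_provider(provider, token)
        if subject is None:                       # claim 16: invalid token
            return self._deny(invite_id, "token invalid")
        if (provider, subject) != (invite.provider, invite.subject):
            return self._deny(invite_id, "identity mismatch")   # claim 7
        return dict(self._settings)

    def _deny(self, invite_id, reason):
        self.denials.append((invite_id, reason))
        return None

def demo():
    nam = NetworkAccessManager("HomeNet", "constructed-passphrase")
    nam.grant("inv-1", "provider-a", "alice@example.test")
    nam.grant("inv-2", "provider-b", "bob@example.test")
    return {
        "alice": nam.redeem("inv-1", "provider-a", "tok-alice"),
        "bob": nam.redeem("inv-2", "provider-b", "tok-bob"),
        "forged": nam.redeem("inv-1", "provider-a", "tok-unknown"),
        "forwarded": nam.redeem("inv-1", "provider-a", "tok-mallory"),
        "denials": nam.denials,
    }
```

The "forwarded" case is the one worth noting: the token is genuine, but it authenticates someone other than the invitee, so a forwarded invitation does not yield the credential.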